[OAUTH-WG] Re: OAuth Digest, Vol 188, Issue 13

Carl Cousino <carlcousino@hotmail.com> Mon, 17 June 2024 12:26 UTC

Return-Path: <carlcousino@hotmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17DB6C1D6FC5 for <oauth@ietfa.amsl.com>; Mon, 17 Jun 2024 05:26:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.132
X-Spam-Level:
X-Spam-Status: No, score=-1.132 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fcUYZUJPBQT0 for <oauth@ietfa.amsl.com>; Mon, 17 Jun 2024 05:26:49 -0700 (PDT)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11olkn2039.outbound.protection.outlook.com [40.92.19.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18846C1DA1EC for <oauth@ietf.org>; Mon, 17 Jun 2024 05:26:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kwW6eEtEpjt4MOVFQvFtUUoWL+biXgQVrKT/2E6+XhwCdDgaexOaWkSyIXrBn2ENxSBVsvBbSqQsl6a9/yw24WIWOy+0GaFrMl5JQHzKz2srj6m8OMTkXmfiIKjQZj+4hmbTmtqEIsw2koiKoMHVlfPsZs8a93voZ+9WzPQjbwzAYnxmWMKHoLK5gOoyb/vGdkz8+xznAFtCcaz3FaEPjgAnvp64lWVdfjpnEeacraS7XV8B6tlS2vrVbnmRs6rHx1Ae5lS5KVshyS/wpU5i5m7xFNnKVc8/03wWhFKJYXFzPrdDjGNRUnND2BgOhcqE3BS8atUiK7G/Nz3P2dRiPA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=B77VcnWmG06/6p1IIdGCPdCZ8+/WokeenK4LYP/DsjE=; b=gTZl83Alhr65fBIrHtv8w3dYblXbHY5kTd/lUihUCZ8luKcwxPP5Dqe9PkLZCm94KJnMtroM70/KQNlolcTaYOXiVjpezRWq3gssM4KHZiDeWzSdZcHwQRJRNZwyq+lweM3vkeW1/XOCx17BFubh7eajb8lDnZ1VYzVjdmD4iNtQ6oWM7YbRj/nEyF3r8obuuRdkKts6skTF+YjeX0eOTq6OIeFWciPnqzZKR9+oyO8JYOWoKOEfuI3efZSBzzZs2yUWaYR74sOzb/EAZ/BoEyJjgFByZGbrVmmAX25vhFssYxEsYrNiDgP0Ri0CI2WgawALwYpAL3TfnZPF6Ex6mA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=B77VcnWmG06/6p1IIdGCPdCZ8+/WokeenK4LYP/DsjE=; b=RMGul8/weHmp3gssb5sdENJntruU0CbTeJdGZAbBRCUom9El21NlxDQ6PG3JWmArptufCFE/E5aOAl28519+xvV2L3fjoAFpPDH1ywYBGFOnhVQA7i4I3bN76aOzIWjpycWxzCtYtN3DKJ9Odid0F1pCAoO8gby3bw4FTXkis/c6DHZ9+zjRNbeRVKYSSHgoi94Nks8rOrH6CdiFFhegqAkD4w+d/d+ZzQrskHl+ReYxcLgTcC8sj5lRNGeQZ7PRVn/WCtdlfaU3eSR9G8H8QqBycJ6NYXibTJiUaVtQ/CibyICZpXnny3I1tEF4k5/yBLNHV/4NK08fD3lIJpShHw==
Received: from BL0PR02MB3844.namprd02.prod.outlook.com (2603:10b6:207:4b::25) by LV8PR02MB10096.namprd02.prod.outlook.com (2603:10b6:408:181::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7677.31; Mon, 17 Jun 2024 12:26:45 +0000
Received: from BL0PR02MB3844.namprd02.prod.outlook.com ([fe80::b695:163f:e73b:50c0]) by BL0PR02MB3844.namprd02.prod.outlook.com ([fe80::b695:163f:e73b:50c0%6]) with mapi id 15.20.7677.030; Mon, 17 Jun 2024 12:26:45 +0000
From: Carl Cousino <carlcousino@hotmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: OAuth Digest, Vol 188, Issue 13
Thread-Index: AQHau9u/nMQ4CP09QU2I6xcUwxZoabHL63Ct
Date: Mon, 17 Jun 2024 12:26:45 +0000
Message-ID: <BL0PR02MB3844A438E4365F713D8D0B90B1CD2@BL0PR02MB3844.namprd02.prod.outlook.com>
References: <171809539593.6354.6944226789652072564@ietfa.amsl.com>
In-Reply-To: <171809539593.6354.6944226789652072564@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [RHjsR98KYXNI1YKyFQnXk4ZPP9bt+T8C]
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BL0PR02MB3844:EE_|LV8PR02MB10096:EE_
x-ms-office365-filtering-correlation-id: 5a84f88f-3d4c-462d-5a91-08dc8ec8c0b2
x-microsoft-antispam: BCL:0;ARA:14566002|9400799021|461199025|3412199022|440099025|4302099010|102099029|1602099009|56899030;
x-microsoft-antispam-message-info: YYmfbAwM1DQmEPzZaTZ0bDs4A6B2MD2jsfpmty7BfxHYjZH0eI0qMS0tgni+5J22aqgTxM2xSKEgntzZG+ih3qZcm3Qmtx3rc0t9WQxPtaqredbJdPIf1rdUPOQBx47aVgEUvbaRG8rJimLA81Sm7SvpLY4THAOhmaP9X44qTi9kk4XOEBgSS6rilsSuzLs3m+6Tmfy4peDZssODfRzsfkXuucO40HJO8kCgd7lS1WIQouk94C0Gfi+TfNsByyygPKQ+qx8wsTSlcM4AjgE4kb0+2/gmstiqs9LF3rl7H7UE1Ymi4K4ySnbvNyoppwZa9RL7lJkEBApBMnWVSLZ/hwRHXq532L4ym914uVZ72wTXetzxm7UYMKykeY3DqCBcezIiUWYEfL25psS7hdioMHQF0hv/VBGokQ2ouA0s1NVcef5dVwvYYOHm1MWASh6E9hUWmsQN3YMJQrt0H6/+ayyBpMsxmx5/qY78msyiVC3+Gok1CFFyGNgAghBUmQW3AuM7mrKVSHjSLukZbDviHn77xBkXDhsbPA67NMQSwg2kD2jrWhTvJISulklIX2Ayk58Sb6BCYBggWBxNMaWaJVez7oj4RXMV142LGtFNT4sZQN3W3wrFCsvxfpZBoLFCxe4rYaawjBsgtJZK3y+6BOZf5TSVVE939D3ZsnBm+FdfpPEsrin3bt5Y0jo+Sr6VW6YlTos/R3r2NoI79zqfnyOODPPlBn4ZCyxF+iPSMOU=
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: gF466pg572D+lV0SxRhlCI3Skd9yWY3ledAQsE5OeSl7sG/CxB7R2s1kqCHmoqqdmH05vAsmZiL0pbuDwA1uxMapk0IdG8KUV6MrVjs1mGx2QO8p/y9VP7ZmyG2D5WI7Ca01bNaes6ZDcdCFzshIcigzuYEymJkyZg8I8DshUzObZJckbU0ou3pp11GAa7QC3yguHDI/ef+/fOSZAaiK6KpNcoM7tRwzsZ9W658rPby6fbgjW0ogP8JjiSoL8f6drKqPDV/DOmlmOz0Dd4Ph1LMpA9cuwPZWyWpmOJ5R6XLVfPniX42InqhRR5WJ3N6jTA5ZkC3bALkQehzROJP9BlJc4CumxIT7t8LmTtJSU3Xw9B7c8sVuTkErGWC1xG+xtToBLadMeVbQ4ChZLmCWVSBunOPfM80bH0T91ABnusl7VVu/P2mB3u+OVgsUSpJ/Y0TiN30irPHKqKwcabjr58mVH/o0BTTZK+422fRxFMVNfFOiHEZg2I8VEZc5H3cUAMKm5pWc7Zr7UnKpx2OzOzZkJo25B0FD+KKokPLY/tIkrS5L9TKaBtI7YgGlf8yqR9iEKuhRZ8hTpnpLQzaGe/AensQJz9C3Jr/AegzUVPYcODmH+2HEQoifYtvFyWVQNVQ7BovS6qS2Ad8t9ONvC+kZh3wZanzeBJUBZmbad9Ho9Fa86SIp/fHWedu8t9Zgsp/6rSIPko7jlPoSLjLbjCvScKPA21Cwf0TQsEA+lZcZpcp68ximftANAIddXKsuIalUHF7zYoTe/RnNVh2Q+ZH00Ly/L11TVxVv+om9GRvdZ7I7sEV1bbjKSNeVgs62A2OzXqBQlNATksXJyvK71sxiMxrhdDi+4LFG31xaBwuNWNDE4wh8IOyBUM/cf/K/YMFhS0AaAPOntj/UH3pp+4sX7FgcSSXvoslhPTHtPl3emZi27eG5RuqIDj97qSHiRbP4nlc3lBdnNvbwe9fMSkYpAnLH3HIsgkP1ZX9IaGGShgBP2FFkIzTO2XgXpUxyNT4EKiVHIGpQSdqLP7MTwqQGnc9gQL8Ak6f1KAMbra6iVdA6Pa6SNG/fsGhA3LE6tR2ghNvwbQDoN9d8mlTyuCe9/Qgbo2Kxy5GY5G9L9Mc+i9Ul+YzhM/9y4KQr4zVcKmX1g1kG7NX1aJUahvW9VIXFdA6+zNHepTCMT2Plst2HUTn1zDIyqj08RxjWb+qaD2uCpJ8Lo7Of7wqGG09OP/DkVhr13dkoGbVC04i2/bU=
Content-Type: multipart/alternative; boundary="_000_BL0PR02MB3844A438E4365F713D8D0B90B1CD2BL0PR02MB3844namp_"
MIME-Version: 1.0
X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-3d941.templateTenant
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR02MB3844.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 5a84f88f-3d4c-462d-5a91-08dc8ec8c0b2
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jun 2024 12:26:45.6975 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV8PR02MB10096
Message-ID-Hash: 3G3GZTPDP7JFYCAQ4MM2UTLRQRERIAV7
X-Message-ID-Hash: 3G3GZTPDP7JFYCAQ4MM2UTLRQRERIAV7
X-MailFrom: carlcousino@hotmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: OAuth Digest, Vol 188, Issue 13
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/k9cyTGI_ePKYupyHLEKEUWZH5Eo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Help, unsubscribe


Thanks,

Carl Cousino

________________________________
From: oauth-request@ietf.org <oauth-request@ietf.org>
Sent: Tuesday, June 11, 2024 4:43 AM
To: oauth@ietf.org <oauth@ietf.org>
Subject: OAuth Digest, Vol 188, Issue 13

Send OAuth mailing list submissions to
        oauth@ietf.org

To subscribe or unsubscribe via email, send a message with subject or
body 'help' to
        oauth-request@ietf.org

You can reach the person managing the list at
        oauth-owner@ietf.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of OAuth digest..."

Today's Topics:

   1. Re: Call for adoption - PIKA (Giuseppe De Marco)
   2. Re: Call for adoption - PIKA (Giuseppe De Marco)


----------------------------------------------------------------------

Message: 1
Date: Tue, 11 Jun 2024 10:25:14 +0200
From: Giuseppe De Marco <demarcog83@gmail.com>
Subject: [OAUTH-WG] Re: Call for adoption - PIKA
To: Richard Barnes <rlb@ipv.sx>
Cc: oauth <oauth@ietf.org>
Message-ID:
        <CAP_qYymt7-Bhgdx9FCNhYv_TN3wwmxpqkxwNnX_hyseH_hP9FQ@mail.gmail.com>
Content-Type: multipart/alternative;
        boundary="000000000000f6c84e061a990124"

Hey Richard,

My reply was very verbose, thank you for the time spent in reading it.

The problem I see in the communities around the openid/ietf/any-other
technical specification is the way we use the term trust and how we aim to
achieve trust from a technical perspective.

I can show that my name is Giuseppe (subject id) and that you are talking
exclusively with me (secure cryptographic material exchange and
confidentiality in transaction) but this doesn't solve the problem we want
to solve through a trust establishment, because identity and key
attestations doesn't give us any trust.

As mentioned by Mike, OpenID Connect Core implementations already uses TLS
and subject id comparisons to achieve this.

The example of the surgery made with the chainsaw is something already
heard by architects that have implemented SAML2 and that reluctant to move
to OAuth 2.0. They said <<useless complexity>> or <<all those endpoints
only increases the attack surface>>.
Several years was spent to demonstrate why OAuth 2.0 was designed in a way
to satisfy several design principles about scalability and specialization
of the endpoints to specific functionalities.

I can only help, where needed or requested, to demystifying the complexity
of the relationships willing to find trust (in this context, at least, from
a technical pespective only) and be sure that who is going to create new
specifications is aware of the previous ones, of the problem that he's
trying to solve and recognize what is intentionally excluded from the scope.

I would like to continue this conversation with the will to merge the
openid federation approach and the PIKA that I see an important
specification to create a bridge to the X.509 world.
this also requires trust and reducing conflict between authors and
consequently between specifications I believe is an intrinsic goal of our
community.

If I had a little more time...

Il giorno mar 11 giu 2024 alle ore 05:09 Richard Barnes <rlb@ipv.sx> ha
scritto:

> Hi Giuseppe,
>
> To be blunt, solving the use cases we're talking about with OpenID
> Federation is like doing surgery with a chainsaw.  You might achieve the
> intended goal, but the results will be messy.
>
> The trust model we are addressing is one that already exists: A JWT is
> issued by an issuer identified by a URL, and the relying party needs to get
> keys that are verifiable associated with that issuer's URL.  The only thing
> we are doing is trading HTTPS for JWT signing for how that verifiable
> association is made.  It is explicitly *not* a federated model; X.509 is
> already baked into it and does the job well.
>
> Your first point is a good one, though.  It could be a good idea to have
> an indicator here of how the issuer intends the keys to be used (for
> issuing ID tokens vs. Verifiable Credentials, say).  Happy to have that
> filed as a first issue on an adopted document.
>
> Cheers,
> --Richard
>
>
> On Mon, Jun 10, 2024 at 6:50 PM Giuseppe De Marco <demarcog83@gmail.com>
> wrote:
>
>> Hi,
>>
>> I appreciate the introduction of PIKA, which demonstrates a commitment to
>> addressing current challenges. However, I have identified some key areas of
>> concern that need attention:
>>
>> 1. The current documentation lacks clarity regarding the number and scope
>> of cryptographic keys, particularly in terms of their intended use across
>> different protocols. Given that an issuer can serve multiple roles, such as
>> an authorization server, a credential issuer, or a relying party issuing
>> signed request objects, it is important to consider the benefits of using
>> distinct, specialized keys for different protocols and roles and how PIKA
>> would propose a model to achieve this.
>>
>> 2. We already have a mechanism to bring multiple public keys, for
>> multiple scopes/protocols, in a chain of signed JWT. This is OpenID
>> Federation which doesn't depend to X.509 but at the same time is able to
>> distribute also X.509 certificates using the `x5c` claim within the jwk
>> claims and for legacy applications. I believe that this last point is
>> important, since I see X.509 as a requirement only for legacy applications.
>> I would not design a new infrastructure using X.509 as a foundamental
>> requirement for a trust framework.
>>
>> 3. I kindly suggest to clarify which is the meaning/intention of the term
>> trust, from which kind of perspective PIKA aims to approach the mechanisms
>> of the trust evaluations and for which trust topology (federative, end to
>> end, hybrid ...), the roles of the trust authorities or trusted third
>> parties and so on.
>>
>> 4. I read that PIKA reuses the same requirements of openid federation.
>> Probably this needs more clarifications. OpenID Federation provides a
>> mechanism to establish the trust to a subject and obtain its public keys
>> and not only this, since it allow a secure interoperability through a
>> secure metadata exchange and also the distribution of compliance assertions
>> called trust marks.
>>
>> 5. The trust model proposed in PIKA relies fundamentally on a WWW CA
>> (Certificate Authority) for purposes beyond its original design.
>> Specifically, assessing compliance with shared rules, such as a trust
>> framework or national regulations, falls outside the scope of WWW X.509
>> CAs. Consequently, using this type of binding to establish a higher level
>> of trust may not be appropriate. The use of the term "trust" in this
>> context could potentially be misleading. It would be beneficial to
>> reconsider the terminology and mechanisms used to better align with the
>> intended functions and limitations of the technologies employed.
>>
>> therefore,
>>
>> I would therefore suggest defining the terms trust and trust model, and
>> the purposes of the specification in relation to these.
>> Then list the problems that this specification intends to solve and the
>> requirements identified by it.
>>
>> If it is trust and the mechanisms for validating trust in relation to
>> common elements or properties between different entities (and mutual
>> recognition) we could start working on common elements already well
>> established in openid federation and that they could be further explored
>> with your contribution and requirements.
>>
>> From my side, I find the use of openid federation as a broad-based
>> solution evident. Today I am having a positive conversation with other
>> authors about the birth of two new drafts dedicated to openid federation
>> and I believe that this is a good time to join forces to build something
>> together with strong harmonizations, not just some endpoint picking.
>>
>> From my perspective Iam probably more interested in understand what
>> obstacles you have found in using federation and what additional features
>> or endpoints you intend to use to satisfy your requirements that, in fact,
>> I would mark with greater determination within the draft.
>>
>> Even If I read it with pleasure and curiosity, appreciating the work and
>> the effort spent of it, I look forward to receiving more information here
>> in this thread from the pika's authors.
>> Currently, I am hesitant to support this specification as it requires
>> additional time and comparative analysis before I can evaluate it
>> positively.
>>
>> Thank you for sharing and for the work made todate
>> Giuseppe
>>
>> Il giorno lun 10 giu 2024 alle ore 13:48 Rifaat Shekh-Yusef <
>> rifaat.s.ietf@gmail.com> ha scritto:
>>
>>> All,
>>>
>>> This is an official call for adoption for the *Proof of Issuer Key
>>> Authority (PIKA)* draft:
>>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-barnes-oauth-pika%2F&data=05%7C02%7C%7C54d3061fd91e4e17f48c08dc89f2e049%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638536923438275130%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=yk0tWI9LVAgcs5xDwsOn7tn8YNg%2BDGeBTtl1vC3YcbQ%3D&reserved=0<https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/>
>>>
>>> Please, reply *on the mailing list* and let us know if you are in favor
>>> or against adopting this draft as WG document, by *June 24th*.
>>>
>>> Regards,
>>>  Rifaat & Hannes
>>>
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
>
-------------- next part --------------
A message part incompatible with plain text digests has been removed ...
Name: not available
Type: text/html
Size: 9743 bytes
Desc: not available

------------------------------

Message: 2
Date: Tue, 11 Jun 2024 10:42:58 +0200
From: Giuseppe De Marco <demarcog83@gmail.com>
Subject: [OAUTH-WG] Re: Call for adoption - PIKA
To: Tom Jones <thomasclinganjones@gmail.com>
Cc: oauth <oauth@ietf.org>
Message-ID:
        <CAP_qYynE8wuvVCCBKFJai8LshMC5qY3PrNXYCOwnTq5C0gRyFQ@mail.gmail.com>
Content-Type: multipart/alternative;
        boundary="0000000000006acf15061a9941ef"

Ciao Tom,

Public Key Infrastructure satisfies the requirements to provide public
keys. Technically, using X.509 certificates represents a consolidated
approach.
Giving public keys doesn't help in establishing the trust or fully proving
the compliance to shared rules, that's why openid federation authors insist
that openid federation is not only a pki.

TLS is not removed, we use X.509 based pki on the web, therefore also using
federation.

TLS is used to establish confidentiality with an endpoint, establishing
trust to a subject only because it controls a private cryptographic key is
similar to the weakness about the bearer tokens.
Therefore, for instance, in advanced ecosystems and implementation is
required to demonstrate the proof of possession of the tokens because
bearers alone are not secure enough. This is more complex but required in
the real wold.

The point is: what is trust, how to establish trust in the real world,
which are the technical layers that we should (even in a modular way) take
into account to achieve our goals. Do we have the same goals?
Don't stop working together, let's keep the conversation to achieve our
goals in an harmonic way.

Il giorno mar 11 giu 2024 alle ore 06:11 Tom Jones <
thomasclinganjones@gmail.com> ha scritto:

> This whole problem did not need to happen. When the federation spec was
> being created I asked them not to deviate unnecessarily from pki. But the
> very guys that are on this thread told me that they were not a pki and so
> there was no reason for them to follow existing rules. This is entirely a
> problem of there own making. So let them fix their own mistakes.
>
> thx ..Tom (mobile)
>
> On Mon, Jun 10, 2024, 8:37 PM Watson Ladd <watsonbladd@gmail.com> wrote:
>
>> On Mon, Jun 10, 2024 at 8:33 PM Michael Jones
>> <michael_b_jones@hotmail.com> wrote:
>> >
>> > We all know that TLS certificates are handled by platform layers used
>> by applications and not the applications themselves.  There is no code that
>> understands X.509 certificates in most applications that use TLS.  They are
>> not equivalent in complexity.
>> >
>> >
>> >
>> > The draft would require adding code directly understanding the
>> structure and fields of X.509 to applications using it.  Eliminate that,
>> and I’ll support adoption.
>>
>> I don't understand your proposal. An X509 certificate is the only way
>> to link a DNS name to a key at a given point in time as we can
>> leverage the Web PKI. Absent that, what do you do?
>>
>> Also, I'm not sure what you mean by platform layers. Many of them
>> expose a function to verify a signature with a key in an X509 cert or
>> verify a cert chain, even outside the context of TLS. Are there
>> particular ones that would have a problem you are concerned about?
>>
>> Sincerely,
>> Watson Ladd
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>
-------------- next part --------------
A message part incompatible with plain text digests has been removed ...
Name: not available
Type: text/html
Size: 4226 bytes
Desc: not available

------------------------------

Subject: Digest Footer

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org


------------------------------

End of OAuth Digest, Vol 188, Issue 13
**************************************